Login and Logout with Chrome

funkeye

Hi Guys,
first i thought it's just my browser, but i got the same problem in my office chrome and at home.

Whats the Problem?
With Google Chrome (not the incognito tab - there it works) i can't use login to access my site.

i click login, modal shows up, i enter my user information and try to login
login button is spinning
after this. the modal is hiding but as normal, but i'm not logged in

The only way in this case is to use the "remember me" checkbox.

Now - in this case - the problem is to use the log out button.
I click on it and it redirects me to domain.tld/logout?token=<token>
On a click on log out, it just redirects me again with another token

Here a list of my extensions in Chrome. And yes - i turned off ABP for testing.

With Chrome in incognito mode or Firefox it works like alyways.
Any idea whats the problem is?

thanks for your help
Daniel

luceos

funkeye are you able to pop up the network tab of your browser, enable preserve log and then seeing what exact URL's are hit when you click that final log out button?

funkeye

luceos
Chrome - NORMAL tab
Request URL: https://www.domain.tld/logout?token=p3Y7vthNCcgfoaq6fbSnLOt83TmcpwRGQwJ02SDx Request Method: GET Status Code: 200
Response Headers:
accept-ranges: bytes age: 0 cache-control: max-age=0 content-encoding: gzip content-length: 972 content-type: text/html; charset=utf-8 date: Wed, 05 Aug 2020 10:38:28 GMT expires: Wed, 05 Aug 2020 10:38:28 GMT server: Apache set-cookie: flarum_session=L3VPHzh14bYI7LfL9zTuCnyvKR2kjd6EUhwJBHE8; Path=/; Expires=Wed, 05 Aug 2020 12:38:28 GMT; Max-Age=7200; Secure; HttpOnly status: 200 strict-transport-security: max-age=15768000 vary: Accept-Encoding x-csrf-token: rgFkZA8Wp5qXlkU83ReN9SIO1Zsb08vBnXUPHIU2

Chrome - Incognito - Tab
Request URL: https://www.domain.tld/logout?token=CkC3W7515QwJFWXwhRwvenypwsSf65sCLEJRNYWn Request Method: GET Status Code: 302 Remote Address: 77.244.243.24:443 Referrer Policy: no-referrer-when-downgrade

Response Header:
age: 0 cache-control: max-age=0 content-length: 0 content-type: text/html; charset=UTF-8 date: Wed, 05 Aug 2020 10:44:44 GMT expires: Wed, 05 Aug 2020 10:44:44 GMT location: https://www.domain.tld server: Apache set-cookie: flarum_remember=; Path=/; Expires=Wed, 05 Aug 2015 10:44:45 GMT; Secure; HttpOnly set-cookie: flarum_session=ppqpKg69rAChT69rtaeYo1DNBvYvN8ChM8jWtly0; Path=/; Expires=Wed, 05 Aug 2020 12:44:45 GMT; Max-Age=7200; Secure; HttpOnly status: 302 strict-transport-security: max-age=15768000 x-csrf-token: AQCz72aRFhDq7gF94MhzIZU9a9k3I1ZOtathChoC
As you can see, the buggy request gets an status code 200 and the right one a 302 with an redirect to the page

After take a closer look at LogOutController the problem is the CSRF token:

// If a valid CSRF token hasn't been provided, show a view which will // allow the user to press a button to complete the log out process.

funkeye

i think i got it.. On the old server, the pages was build with an WBB. I think there was something in the local storage or temporary data.
I removed all this things and now it works